[RPKI-Discuss] AFRINIC now supports RFC 8182 (RPKI Repository Delta Protocol)

Ben Maddison benm at workonline.africa
Tue Mar 31 12:36:57 UTC 2020

Hi Amreesh,

On Tue, 2020-03-31 at 13:10 +0400, Amreesh Phokeer wrote:

> Dear colleagues,


> AFRINIC is pleased to announce that we now support the RPKI

> Repository Delta protocol (RFC 8182). Our RRDP repository is also now

> live at https://rrdp.afrinic.net/notification.xml.

> The deployment was completed on 30 March 2020 at 14.30 UTC.


That is great news, well donw. Down with rsync ;-)

> The release of this new feature required AFRINIC to regenerate the

> root certificate and all underlying certificates to inject the new

> RRDP Subject Information Access (SIA) entry. The regeneration of the

> whole AFRINIC certificate tree is a delicate operation and all the

> necessary measures were taken to ensure it runs smoothly.

> Unfortunately, during the deployment process, our repository was

> inconsistent for about two hours. The inconsistency was caused by a

> configuration error in our deployment scripts, an issue that we

> rapidly identified and rectified. The repository state was restored

> after the deployment was completed.


Thanks for the post-mortem, that certainly makes sense.
Reading https://github.com/RIPE-NCC/rpki-validator-3/issues/161, it
appears that the same manifest URI was accidentally placed into the SIA
extension of multiple resource certs. Is that correct?

As I noted on yesterday's thread, our RIPE validators were blissfully
unaware that anything was amiss! If the above is correct, then it's
kinda bizarre that it didn't break.

> We will ensure that extra precautionary measures are taken to ensure

> seamless RPKI deployment in the future, knowing the criticality of

> the system. Please note that deployment was done under special

> circumstances where access to our offline system was limited to one

> staff due to the ongoing curfew in Mauritius. The rest of the

> deployment team was remote.


What kind of precautions do you have in mind?
I'd like to know what this type of activity *should* look like going
forward, so that we can distinguish intentional operational actions
from outages.



More information about the RPKI-Discuss mailing list